Online Tools For Bug Disclosure Abound

PayPal was one of the pioneers of internal bug bounty programs. But like other companies that have led the curve with in-house programs that pay researchers a fee for finding valid vulnerabilities in their software, the digital payment firm found that running such a program is no easy feat.

"It's very difficult to have enough resources internally to manage the program and match wits with researchers out in the world," says Gus Anagnos, who developed and ran PayPal's two-year-old internal bug program.

Fielding bug submissions as they come in and budgeting for the payments to researchers is challenging. "It's also very difficult to manage researchers and the expectations they have in payment and time to fix," says Anagnos, who left PayPal this year to become vice president of strategy and operations at Synack, a startup offering a vulnerability disclosure program and other security services.

"The reason I joined Synack is that I noticed, even though there's a tremendous amount of value in having bug bounty programs, it's still very difficult to run them internally," he says. "I left PayPal to come to Synack to take a great bug bounty model and create a new model more than the traditional bug bounty program, and to address items that in-house programs have a hard time" addressing.

Synack, like newcomers Bugcrowd and HackerOne, offers companies an online platform for coordinating vulnerability disclosure, a process that traditionally has been conducted via email correspondence. The company hires out a small group of hand-picked outside researchers who provide its vulnerability discovery service.

Anagnos says Synack technically is not a "middleman" nor a bug bounty service. "We provide a technology platform that automates the process" that vetted and trusted security professionals use to find vulnerabilities that only humans can find, he says.

Its outside research team spans 21 countries and consists of members whose day jobs are in academia, government, Google, Facebook, and PayPal.

The social media firm Tagged.com initially launched its own bug bounty program in-house, but it soon began to overwhelm the company's IT staff. "We started receiving bug bounty submissions, and our help desk spent the majority of time validating bugs, which in essence wasn't scalable," says Boris Sverdlik, who worked on the program. Sverdlik is now head of infrastructure security for the digital branding software firm TubeMogul.

"Some researchers were trying to get paid on every hit on our [Tagged.com] API," he recalls. So Tagged solicited Bugcrowd's online bug bounty services to get a grip on the disclosures it was fielding. "Bugcrowd maintains a 'do not test list'… We worked with them to go through the list and block what we don't want to see, and that increased the efficiency of my group. And we were able to offload the validation and auditing."

Vulnerability disclosure has gone through a major transformation over the past five years. For a long time, researchers got either a shout-out or shouted at for their discoveries -- if a vendor even responded at all. Many were threatened with legal action.

The game changer that made bug bounties more of a mainstream phenomenon came last year, when Microsoft, one of the biggest bug bounty holdouts among software vendors, finally threw its hat in the ring with a bugs for bucks program of its own. Katie Moussouris, then senior security strategist at Microsoft, spearheaded the move, joining Facebook, Google, Mozilla, and PayPal, which preceded Microsoft with programs of their own.

Moussouris left Microsoft in May of this year for HackerOne, a startup that spun off a bug bounty project initially funded in part by Microsoft and Facebook. She's now chief policy officer and works alongside former Facebook director of security Alex Rice, who is now CTO of HackerOne. The startup's free online platform automates the vulnerability disclosure process between the researchers who find the bugs and the affected software vendors and websites. HackerOne charges a 20% service charge when a bounty payment is transacted.

"I'm thrilled there is an industry now" for vulnerability disclosure, Moussouris says. "Where the bad guy would find a vulnerability before an organization fixed it, you can now tap into a worldwide pool of security researchers. It's been a very powerful thing."

Microsoft and other firms have data showing "a tapering off" of software flaws after the initial spike when the programs begin, she says. "We've seen this with a number of our customers" at HackerOne.

The biggest misconception is that a vulnerability disclosure program should automatically include a bounty program from the get-go. However, "starting with a bounty" as part of the program "is not the best idea for everyone," she says. "Starting a bounty from the onset may seem like a cool and trendy idea, but if you're not solid in what you're going to do with that process, you're going to have a bad experience."

Firms with a limited software portfolio find it's more straightforward to have the bounty rolled in right away, according to Moussouris, but that's not the case for firms with larger software sets.

For researchers, the new model of online community and for-hire vulnerability disclosure is much less painful -- and often much more lucrative than in the old days. It wasn't long ago that a security researcher could get sued for reporting a vulnerability to a vendor or online business. "It used to be really scary," says one of Bugcrowd's most prolific bug-finders, a researcher who hunts for bugs after his day job at a software firm and asked his name not be published. "Now we won't get sued."

Bugcrowd is a crowdsourced site that also helps organizations set up bug bounty programs online. It offers a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Casey Ellis, co-founder and CEO of Bugcrowd, says the firm charges a fee for any bug bounty payment transactions. "They can use the platform itself and the triage team we have in-house" for free.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

I think the pressure's on for companies to pony up with bug bounties. I keep flashing back to Dino Dai Zovi/Charlie Miller/Alexander Sotirov's "No More Free Bugs" banner and meme from a few years ago that started this shift. Overall, there are fewer significant vulns to find in major software, so some bugs are definitely more valuable and bounty-worthy than others. Not all companies are ready for this, obviously, but it's definitely a seismic shift with these free vuln disclosure program tools and online tools for bug bounty programs.

Great story, Kelly! I wonder, though, if the proliferation of bug bounties is eroding the notion of "responsible disclosure" and the revelation of vulnerabilities for the simple reason of protecting users. Do you (and others here) think that tomorrow's security researchers will no longer disclose their findings unless they are properly paid?

A big takeaway here is there are now (free) tools for organizations that want to set up a professional and organized process for fielding security vulnerability reports, as well as a potential avenue for setting up a bug bounty program (for a fee). As for researchers, it's a safe way to report & potentially sell their findings.

This is great news to hear! In the past, I can remember thinking to myself, should I tell Microsoft about this bug or just keep it to myself. The fear of being sued was, and in some cases still, very real.